Logging
Logging is important - we love logging.
Because of this, we have included log output that is easy to find, follow and parse, and that provides an additional layer of visibility across your Knocknoc user activity: logins, access grants, manual interactions, and administrative/management operations.
Importantly, Knocknoc events include a string "KnocknocEvent" followed by a collection of relevant key/value pairs, which can be parsed out by your favourite log aggregator/SIEM, or easily searched through syslog.
For example:
KnocknocEvent=LoginUser User=demouser ip=1.2.3.4 UserType=local request_id=cv041e4nqrrqhd74hk4g uid=0194cebb-506f-7769-bd65-b57b9bc3a4c0
| KnocknocEvent | Event | Additional data |
|---|---|---|
| eg: LoginUser, LoginAdmin, LogoutUser (see examples below) | Successful user/admin login; Successful user/admin logout | Username, IP Address, Auth type (eg: SAML, Local), UID/internal user-id, request_ID for tracking linked events |
| CreateGrant, ManualGrant, PortWalkGrant | Granting of access to users, via Agents; Manual (click to grant) interactions; Additional IPs discovered as part of port-walking | Username, IP Address, Auth type (eg: SAML, Local), UID, ACL Name, ACLID, Request_ID; Any additional IPs in the case of PortWalkGrant |
| AllowlistRetrieved | API-based AllowLists successfully retrieved by consumers, eg: firewalls polling EDLs | ACL Name, IP Address (of consumer), ACLID, Format (txt/json), Request_ID |
| TOTPInvalid, TOTPInvalidUser, TOTPValidAdmin, TOTPValidUser | Invalid TOTP provided (on valid Password); Valid TOTP provided. Note: local users only, does not appear from SAML. | Username, request_ID |
| Audit events for system/data change (eg: CreateAgent, UpdateSettings) | Create entities; Delete entities; Update entities; Reset TOTP for local users/admins | Includes related information, including: Entity type (eg: user, agent, ACL, etc), Entity name (eg: Bob User), Performing user (eg: Jane Admin), IP address, internal IDs, request_ID |
These events are logged to Syslog for onward collection and parsing.
If you require additional logging you can adjust the verbosity; however, all of the events above are logged by default at the 'info' verbosity level.
Some examples:
KnocknocEvent=LoginUser ip=1.2.3.4 UserName=dwight.schrute UserType=SAML request_id=xx uid=yy
KnocknocEvent=CreateGrant User=dwight.schrute ACL="Palo45" ip=1.2.3.4 ACLID=xx GrantID=yy UserType=SAML request_id=zz
KnocknocEvent=ManualGrant ACL="Fortinet8" UserName=dwight.schrute request_id=xx
KnocknocEvent=LogoutUser User=dwight.schrute UserType=SAML request_id=xx uid=yy
KnocknocEvent=AllowlistRetrieved ACL="SSH-NYC4" ip=1.2.3.4 aclID=xx format=txt request_id=yy
KnocknocEvent=LoginAdmin User=bob-admin ip=1.2.3.4 UserType=local request_id=xx uid=yy
KnocknocEvent=TOTPValidAdmin User=bob-admin request_id=xx
KnocknocEvent=UpdateSettings User=bob-admin request_id=xx
KnocknocEvent=LicenseKeyValidationSuccessful Expiry=2025-03-31T00:00:00Z SessionLimit=10 UserLimit=25
KnocknocEvent=CreateAgent User=bob-admin Agent={"ID":"0xx","Name":"rhel9-aws"} request_id=xx
KnocknocEvent=TOTPInvalid User=bob-admin request_id=xx
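As an added example (not Knocknoc's own code), the parser below reads lines in the KnocknocEvent key/value format above, including quoted values like ACL="..." and the JSON object in Agent={...}, then groups events by request_id and counts TOTPInvalid events per account as a simple detection. The sample log lines and their request_id, uid, ACLID and GrantID values are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the KnocknocEvent format shown above; ids are placeholders.
SAMPLE_LOG = """\
KnocknocEvent=LoginAdmin User=bob-admin ip=1.2.3.4 UserType=local request_id=r1 uid=u1
KnocknocEvent=TOTPInvalid User=bob-admin request_id=r1
KnocknocEvent=LoginAdmin User=bob-admin ip=1.2.3.4 UserType=local request_id=r2 uid=u1
KnocknocEvent=TOTPInvalid User=bob-admin request_id=r2
KnocknocEvent=CreateGrant User=dwight.schrute ACL="SSH-NYC4" ip=5.6.7.8 ACLID=a1 GrantID=g1 UserType=SAML request_id=r3
KnocknocEvent=CreateAgent User=bob-admin Agent={"ID":"0xx","Name":"rhel9-aws"} request_id=r4
Jan 1 00:00:00 knocknoc[1]: some unrelated syslog line
"""

# key=value tokens; a value is a double-quoted string, a JSON object, or a bare word.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\{.*?\}|\S+)')

def parse_knocknoc_event(line):
    """Return the key/value pairs of one KnocknocEvent line, or None for other lines.
    Keys are kept as logged (the page itself varies: User vs UserName, ACLID vs aclID)."""
    if "KnocknocEvent=" not in line:
        return None
    fields = {}
    for key, raw in _TOKEN.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]            # strip the surrounding quotes
        elif raw.startswith("{"):
            try:
                fields[key] = json.loads(raw)  # eg: Agent={"ID":...,"Name":...}
            except json.JSONDecodeError:
                fields[key] = raw
        else:
            fields[key] = raw
    return fields if "KnocknocEvent" in fields else None

def events_by_request(lines):
    """Group event names by request_id, the field the page says links related events."""
    groups = defaultdict(list)
    for event in filter(None, map(parse_knocknoc_event, lines)):
        groups[event.get("request_id", "-")].append(event["KnocknocEvent"])
    return dict(groups)

def failed_totp_counts(lines):
    """Count TOTPInvalid* events per account: a simple detection for repeated bad TOTPs."""
    counts = defaultdict(int)
    for event in filter(None, map(parse_knocknoc_event, lines)):
        if event["KnocknocEvent"].startswith("TOTPInvalid"):
            # the account field is User on some events and UserName on others
            counts[event.get("User") or event.get("UserName")] += 1
    return dict(counts)
```

Feed it the lines from your syslog collector (for example `failed_totp_counts(open("knocknoc.log"))`) and alert when a count crosses your threshold.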